Tripwire IP360 API Connector Page

Vulnerability management solution Tripwire IP360 provides visibility into your network, both on-premise and in the cloud, including all devices and their associated operating systems, applications and vulnerabilities. The Tripwire Vulnerability and Exposure Research Team (VERT) keeps Tripwire IP360 up-to-date with accurate, non-intrusive discovery signatures that are current and relevant to large organizations.

*Please note that as of 2013, Tripwire acquired nCircle and nCircle IP360 is Tripwire IP360.


To import your data from Tripwire IP360 to the Cisco Vulnerability Management module, you will need to leverage the Tripwire Connector under the Vulnerability Management category on your Connectors Page.

The Connector is a full run connector, unless the scan_type is a Partial Scan. Then Cisco Vulnerability Management will pick up the full report from the partial scan and upload that data. 

User Prerequisites/Connector Setup:

  • Given that connector is an API Connector the service Account you wish to leverage must have access to the Tripwire API.

  • Your service Account must also have access to all the scan data you wish to import.

  • If your Tripwire scanner is on premise you will need to have the Kenna Virtual Tunnel set up prior to attempting to run the connector. 
    • If you do not have the Virtual Tunnel set up and your scanner is on-premise the connector will fail. 

 

Configuring your Connector in Cisco Vulnerability Management

 

To set up the Connector, navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so). On the Connectors page, select Tripwire.

Tripwire_select.png

 

Once you select the Tripwire API Connector, the following screen will appear:

 

Tripwire_Config.png

 

  • Enter a name for the connector, or leave it as “IP360 API” if you wish.

  • Enter the Username and Password for the account, along with the Host information.

    • If your host is static, enter the IP address and the port.

    • If your host is dynamic, enter the DNS and port information.

  • Schedule the Connector. Select the frequency at which you’d like your Connector to run. (we recommend mirroring the cadence of your Tripwire Scans).

  • Select the “Use Kenna Virtual Tunnel” checkbox below “asset inactivity limit” if your scanner is on-premise

  • Click Save and Verify.

  • If you’d like to set a connector level asset inactivity limit, you can do that at this time, or later. (We recommend 2-3x the scan cadence of your Tripwire Scans).

 

What Tripwire Items does Cisco Vulnerability Management Import?

Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector. We will pull:

Tripwire IP360 Field

Cisco Vulnerability Management Field

Notes

AppName or AppID

Application Name

 

Audit_id

scan_type

If the scan_type is a partial scan, Cisco Vulnerability Management will disable the auto-closing feature for vulns that do not appear in the export. For all vulns that appear in the scan we will update their status. For vulns that do not appear, we will not auto-close them. This is to prevent false auto-closures.

Vuln > name

Name

 

vuln_id

Identifier (Vulnerability)

 

vdescription

Description

 

 

Vulnerability Status

Only maps Open, Closed vulnerabilities.

cves

CVE

 

port

Ports

 

-N/A-

Last Seen

Cisco Vulnerability Management does not receive an explicit last seen date. We take the date of the connector run with the vulnerability present and utilize that datestamp as the Last Seen date.

end_date

Found On

 

-N/A-

Closed

Cisco Vulnerability Management does not receive an explicit Closed status from Tripwire. With the vulnerability export reports, any previously identified vulnerabilities that are no longer present (in a full scan) will be auto-closed as remediated.

-N/A-

Created

Date the vuln was first imported to Cisco Vulnerability Management. Not mapped to a Qualys field.

os_vendor

OS

If OS_Vendor hash is filled with “UNKNOWN_OS” we will remove this data and leave a null field rather than importing the asset with OS as “unknown_os”

hostname

hostname

If locators hash is filled with “UNKNOWN_HOSTNAME” we will remove this data and leave a null field rather than importing the asset with hostname as “unknown_hostname”

ip

ip_address

 

netbiosname

netbios

 

persistent_id

External Host ID

 

-N/A-

Tags

There are no tags or tag references for Tripwire

 

Optional Settings

The following settings can be enabled on the backend for Tripwire Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.

  • Exclude Informationals

    • When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.

  • Skip Tags

    • This setting will allow you to NOT create any Tags within Cisco Vulnerability Management based on the scanner metadata.

  • Ignore Scanner Last Seen Time

    • If you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

  • Tag Reset

    • This setting will assist in keeping your scanner metadata in sync with Cisco Vulnerability Management. Each time the connector is run, ALL tags within Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.

    • If you have created any manual tags OR any tags were created off of metadata from other connectors that tag info will be removed and will be refreshed once those other connectors are rerun.

  • Custom Ordered Locators

    • Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information see the help article here.

 

Common Reasons for Tripwire Connector Run Failures

  • Bad Credentials
    • If you enter the incorrect connector credentials during the connector setup, we will not have access to the Tripwire environment to make the API calls.
  • If no reports are found we will abort the Connector run, rather than fail it outright
  • If an API call fails (no data available, or other reasons)
  • Unexpected data returned

    • If Cisco Vulnerability Management receives data that is not in the expected format and we are unable to process it, the connector will fail.

  • If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management will auto-fail the Connector Run

 

Additional Assistance:

Please contact Support should you require any additional assistance with the Tripwire Connector.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.